#include <stdlib.h>
#include <string.h>
#include <strings.h>
#include <errno.h>
#include <assert.h>
#include <ipxe/list.h>
#include <ipxe/base16.h>
#include <ipxe/asn1.h>
#include <ipxe/crypto.h>
#include <ipxe/md5.h>
#include <ipxe/sha1.h>
#include <ipxe/sha256.h>
#include <ipxe/rsa.h>
#include <ipxe/rootcert.h>
#include <ipxe/certstore.h>
#include <ipxe/privkey.h>
#include <ipxe/socket.h>
#include <ipxe/in.h>
#include <ipxe/image.h>
#include <ipxe/ocsp.h>
#include <ipxe/x509.h>
#include <config/crypto.h>
Functions
FILE_LICENCE (GPL2_OR_LATER_OR_UBDL) | |
static void | x509_free (struct refcnt *refcnt) |
Free X.509 certificate. More... | |
const char * | x509_name (struct x509_certificate *cert) |
Get X.509 certificate display name. More... | |
static int | x509_parse_version (struct x509_certificate *cert, const struct asn1_cursor *raw) |
Parse X.509 certificate version. More... | |
static int | x509_parse_serial (struct x509_certificate *cert, const struct asn1_cursor *raw) |
Parse X.509 certificate serial number. More... | |
static int | x509_parse_issuer (struct x509_certificate *cert, const struct asn1_cursor *raw) |
Parse X.509 certificate issuer. More... | |
static int | x509_parse_validity (struct x509_certificate *cert, const struct asn1_cursor *raw) |
Parse X.509 certificate validity. More... | |
static int | x509_parse_common_name (struct x509_certificate *cert, const struct asn1_cursor *raw) |
Parse X.509 certificate common name. More... | |
static int | x509_parse_subject (struct x509_certificate *cert, const struct asn1_cursor *raw) |
Parse X.509 certificate subject. More... | |
static int | x509_parse_public_key (struct x509_certificate *cert, const struct asn1_cursor *raw) |
Parse X.509 certificate public key information. More... | |
static int | x509_parse_basic_constraints (struct x509_certificate *cert, const struct asn1_cursor *raw) |
Parse X.509 certificate basic constraints. More... | |
static int | x509_parse_key_usage (struct x509_certificate *cert, const struct asn1_cursor *raw) |
Parse X.509 certificate key usage. More... | |
static int | x509_parse_key_purpose (struct x509_certificate *cert, const struct asn1_cursor *raw) |
Parse X.509 certificate key purpose identifier. More... | |
static int | x509_parse_extended_key_usage (struct x509_certificate *cert, const struct asn1_cursor *raw) |
Parse X.509 certificate extended key usage. More... | |
static int | x509_parse_ocsp (struct x509_certificate *cert, const struct asn1_cursor *raw) |
Parse X.509 certificate OCSP access method. More... | |
static struct x509_access_method * | x509_find_access_method (const struct asn1_cursor *oid) |
Identify X.509 access method by OID. More... | |
static int | x509_parse_access_description (struct x509_certificate *cert, const struct asn1_cursor *raw) |
Parse X.509 certificate access description. More... | |
static int | x509_parse_authority_info_access (struct x509_certificate *cert, const struct asn1_cursor *raw) |
Parse X.509 certificate authority information access. More... | |
static int | x509_parse_subject_alt_name (struct x509_certificate *cert, const struct asn1_cursor *raw) |
Parse X.509 certificate subject alternative name. More... | |
static struct x509_extension * | x509_find_extension (const struct asn1_cursor *oid) |
Identify X.509 extension by OID. More... | |
static int | x509_parse_extension (struct x509_certificate *cert, const struct asn1_cursor *raw) |
Parse X.509 certificate extension. More... | |
static int | x509_parse_extensions (struct x509_certificate *cert, const struct asn1_cursor *raw) |
Parse X.509 certificate extensions, if present. More... | |
static int | x509_parse_tbscertificate (struct x509_certificate *cert, const struct asn1_cursor *raw) |
Parse X.509 certificate tbsCertificate. More... | |
int | x509_parse (struct x509_certificate *cert, const struct asn1_cursor *raw) |
Parse X.509 certificate from ASN.1 data. More... | |
int | x509_certificate (const void *data, size_t len, struct x509_certificate **cert) |
Create X.509 certificate. More... | |
static int | x509_check_signature (struct x509_certificate *cert, struct x509_public_key *public_key) |
Check X.509 certificate signature. More... | |
int | x509_check_issuer (struct x509_certificate *cert, struct x509_certificate *issuer) |
Check X.509 certificate against issuer certificate. More... | |
void | x509_fingerprint (struct x509_certificate *cert, struct digest_algorithm *digest, void *fingerprint) |
Calculate X.509 certificate fingerprint. More... | |
int | x509_check_root (struct x509_certificate *cert, struct x509_root *root) |
Check X.509 root certificate. More... | |
int | x509_check_time (struct x509_certificate *cert, time_t time) |
Check X.509 certificate validity period. More... | |
int | x509_is_valid (struct x509_certificate *cert, struct x509_root *root) |
Check if X.509 certificate is valid. More... | |
static void | x509_set_valid (struct x509_certificate *cert, struct x509_certificate *issuer, struct x509_root *root) |
Set X.509 certificate as validated. More... | |
int | x509_validate (struct x509_certificate *cert, struct x509_certificate *issuer, time_t time, struct x509_root *root) |
Validate X.509 certificate. More... | |
static int | x509_check_dnsname (struct x509_certificate *cert, const struct asn1_cursor *raw, const char *name) |
Check X.509 certificate alternative dNSName. More... | |
static int | x509_check_ipaddress (struct x509_certificate *cert, const struct asn1_cursor *raw, const char *name) |
Check X.509 certificate alternative iPAddress. More... | |
static int | x509_check_alt_name (struct x509_certificate *cert, const struct asn1_cursor *raw, const char *name) |
Check X.509 certificate alternative name. More... | |
int | x509_check_name (struct x509_certificate *cert, const char *name) |
Check X.509 certificate name. More... | |
static void | x509_free_chain (struct refcnt *refcnt) |
Free X.509 certificate chain. More... | |
struct x509_chain * | x509_alloc_chain (void) |
Allocate X.509 certificate chain. More... | |
int | x509_append (struct x509_chain *chain, struct x509_certificate *cert) |
Append X.509 certificate to X.509 certificate chain. More... | |
int | x509_append_raw (struct x509_chain *chain, const void *data, size_t len) |
Append X.509 certificate to X.509 certificate chain. More... | |
void | x509_truncate (struct x509_chain *chain, struct x509_link *link) |
Truncate X.509 certificate chain. More... | |
static struct x509_certificate * | x509_found (struct x509_chain *store, struct x509_certificate *cert) |
Mark X.509 certificate as found. More... | |
struct x509_certificate * | x509_find (struct x509_chain *store, const struct asn1_cursor *raw) |
Identify X.509 certificate by raw certificate data. More... | |
struct x509_certificate * | x509_find_subject (struct x509_chain *store, const struct asn1_cursor *subject) |
Identify X.509 certificate by subject. More... | |
struct x509_certificate * | x509_find_issuer_serial (struct x509_chain *store, const struct asn1_cursor *issuer, const struct asn1_cursor *serial) |
Identify X.509 certificate by issuer and serial number. More... | |
struct x509_certificate * | x509_find_key (struct x509_chain *store, struct private_key *key) |
Identify X.509 certificate by corresponding public key. More... | |
int | x509_auto_append (struct x509_chain *chain, struct x509_chain *store) |
Append X.509 certificates to X.509 certificate chain. More... | |
int | x509_validate_chain (struct x509_chain *chain, time_t time, struct x509_chain *store, struct x509_root *root) |
Validate X.509 certificate chain. More... | |
int | image_x509 (struct image *image, size_t offset, struct x509_certificate **cert) |
Extract X.509 certificate object from image. More... | |
REQUIRING_SYMBOL (x509_validate) | |
REQUIRE_OBJECT (certstore) | |
REQUIRE_OBJECT (config_crypto) | |
Variables
static uint8_t | oid_common_name [] = { ASN1_OID_COMMON_NAME } |
"commonName" object identifier More... | |
static struct asn1_cursor | oid_common_name_cursor |
"commonName" object identifier cursor More... | |
static uint8_t | oid_code_signing [] = { ASN1_OID_CODESIGNING } |
"id-kp-codeSigning" object identifier More... | |
static uint8_t | oid_ocsp_signing [] = { ASN1_OID_OCSPSIGNING } |
"id-kp-OCSPSigning" object identifier More... | |
static struct x509_key_purpose | x509_key_purposes [] |
Supported key purposes. More... | |
static uint8_t | oid_ad_ocsp [] = { ASN1_OID_OCSP } |
"id-ad-ocsp" object identifier More... | |
static struct x509_access_method | x509_access_methods [] |
Supported access methods. More... | |
static uint8_t | oid_ce_basic_constraints [] |
"id-ce-basicConstraints" object identifier More... | |
static uint8_t | oid_ce_key_usage [] |
"id-ce-keyUsage" object identifier More... | |
static uint8_t | oid_ce_ext_key_usage [] |
"id-ce-extKeyUsage" object identifier More... | |
static uint8_t | oid_pe_authority_info_access [] |
"id-pe-authorityInfoAccess" object identifier More... | |
static uint8_t | oid_ce_subject_alt_name [] |
"id-ce-subjectAltName" object identifier More... | |
static struct x509_extension | x509_extensions [] |
Supported certificate extensions. More... | |
X.509 certificates.
The structure of X.509v3 certificates is documented in RFC 5280 section 4.1.
Definition in file x509.c.
#define ENOTSUP_ALGORITHM __einfo_error ( EINFO_ENOTSUP_ALGORITHM ) |
#define EINFO_ENOTSUP_ALGORITHM __einfo_uniqify ( EINFO_ENOTSUP, 0x01, "Unsupported algorithm" ) |
#define ENOTSUP_EXTENSION __einfo_error ( EINFO_ENOTSUP_EXTENSION ) |
#define EINFO_ENOTSUP_EXTENSION __einfo_uniqify ( EINFO_ENOTSUP, 0x02, "Unsupported extension" ) |
#define EINVAL_ALGORITHM __einfo_error ( EINFO_EINVAL_ALGORITHM ) |
#define EINFO_EINVAL_ALGORITHM __einfo_uniqify ( EINFO_EINVAL, 0x01, "Invalid algorithm type" ) |
#define EINVAL_ALGORITHM_MISMATCH __einfo_error ( EINFO_EINVAL_ALGORITHM_MISMATCH ) |
#define EINFO_EINVAL_ALGORITHM_MISMATCH __einfo_uniqify ( EINFO_EINVAL, 0x04, "Signature algorithm mismatch" ) |
#define EINVAL_PATH_LEN __einfo_error ( EINFO_EINVAL_PATH_LEN ) |
#define EINFO_EINVAL_PATH_LEN __einfo_uniqify ( EINFO_EINVAL, 0x05, "Invalid pathLenConstraint" ) |
#define EINVAL_VERSION __einfo_error ( EINFO_EINVAL_VERSION ) |
#define EINFO_EINVAL_VERSION __einfo_uniqify ( EINFO_EINVAL, 0x06, "Invalid version" ) |
#define EACCES_WRONG_ISSUER __einfo_error ( EINFO_EACCES_WRONG_ISSUER ) |
#define EINFO_EACCES_WRONG_ISSUER __einfo_uniqify ( EINFO_EACCES, 0x01, "Wrong issuer" ) |
#define EACCES_NOT_CA __einfo_error ( EINFO_EACCES_NOT_CA ) |
#define EINFO_EACCES_NOT_CA __einfo_uniqify ( EINFO_EACCES, 0x02, "Not a CA certificate" ) |
#define EACCES_KEY_USAGE __einfo_error ( EINFO_EACCES_KEY_USAGE ) |
#define EINFO_EACCES_KEY_USAGE __einfo_uniqify ( EINFO_EACCES, 0x03, "Incorrect key usage" ) |
#define EACCES_EXPIRED __einfo_error ( EINFO_EACCES_EXPIRED ) |
#define EINFO_EACCES_EXPIRED __einfo_uniqify ( EINFO_EACCES, 0x04, "Expired (or not yet valid)" ) |
#define EACCES_PATH_LEN __einfo_error ( EINFO_EACCES_PATH_LEN ) |
#define EINFO_EACCES_PATH_LEN __einfo_uniqify ( EINFO_EACCES, 0x05, "Maximum path length exceeded" ) |
#define EACCES_UNTRUSTED __einfo_error ( EINFO_EACCES_UNTRUSTED ) |
#define EINFO_EACCES_UNTRUSTED __einfo_uniqify ( EINFO_EACCES, 0x06, "Untrusted root certificate" ) |
#define EACCES_OUT_OF_ORDER __einfo_error ( EINFO_EACCES_OUT_OF_ORDER ) |
#define EINFO_EACCES_OUT_OF_ORDER __einfo_uniqify ( EINFO_EACCES, 0x07, "Validation out of order" ) |
#define EACCES_EMPTY __einfo_error ( EINFO_EACCES_EMPTY ) |
#define EINFO_EACCES_EMPTY __einfo_uniqify ( EINFO_EACCES, 0x08, "Empty certificate chain" ) |
#define EACCES_OCSP_REQUIRED __einfo_error ( EINFO_EACCES_OCSP_REQUIRED ) |
#define EINFO_EACCES_OCSP_REQUIRED __einfo_uniqify ( EINFO_EACCES, 0x09, "OCSP check required" ) |
#define EACCES_WRONG_NAME __einfo_error ( EINFO_EACCES_WRONG_NAME ) |
#define EINFO_EACCES_WRONG_NAME __einfo_uniqify ( EINFO_EACCES, 0x0a, "Incorrect certificate name" ) |
#define EACCES_USELESS __einfo_error ( EINFO_EACCES_USELESS ) |
#define EINFO_EACCES_USELESS __einfo_uniqify ( EINFO_EACCES, 0x0b, "No usable certificates" ) |
FILE_LICENCE | ( | GPL2_OR_LATER_OR_UBDL | ) |
static void x509_free ( struct refcnt *refcnt )
Free X.509 certificate.
refcnt | Reference count |
Definition at line 132 of file x509.c.
References container_of, free, x509_certificate::root, and x509_root_put().
Referenced by x509_certificate().
const char* x509_name | ( | struct x509_certificate * | cert | ) |
Get X.509 certificate display name.
cert | X.509 certificate |
name | Display name |
Definition at line 146 of file x509.c.
References x509_subject::common_name, asn1_cursor::data, digest_algorithm::digestsize, len, asn1_cursor::len, memcpy(), sha1_algorithm, x509_certificate::subject, and x509_fingerprint().
Referenced by certstat(), certstore_add(), certstore_apply_settings(), certstore_del(), certstore_found(), certstore_init(), cms_parse_certificates(), icert_encode(), ocsp_check_signature(), ocsp_parse_basic_response(), ocsp_parse_cert_id(), ocsp_parse_certs(), ocsp_parse_responder_id(), ocsp_parse_response_status(), ocsp_parse_response_type(), ocsp_parse_responses(), ocsp_request(), ocsp_uri_string(), ocsp_validate(), tls_new_certificate_request(), tls_parse_chain(), tls_send_certificate(), validator_append(), validator_name(), validator_ocsp_validate(), validator_progress(), validator_start_download(), validator_start_ocsp(), validator_step(), x509_append(), x509_check_alt_name(), x509_check_dnsname(), x509_check_ipaddress(), x509_check_issuer(), x509_check_name(), x509_check_root(), x509_check_signature(), x509_check_time(), x509_parse_subject(), and x509_validate().
static int x509_parse_version ( struct x509_certificate *cert, const struct asn1_cursor *raw )
Parse X.509 certificate version.
cert | X.509 certificate |
raw | ASN.1 cursor |
rc | Return status code |
Definition at line 183 of file x509.c.
References asn1_enter(), ASN1_EXPLICIT_TAG, asn1_integer(), DBGC, DBGC2, DBGC_HDA, EINVAL_VERSION, memcpy(), raw, rc, strerror(), x509_certificate::version, and version.
Referenced by x509_parse_tbscertificate().
static int x509_parse_serial ( struct x509_certificate *cert, const struct asn1_cursor *raw )
Parse X.509 certificate serial number.
cert | X.509 certificate |
raw | ASN.1 cursor |
rc | Return status code |
Definition at line 223 of file x509.c.
References ASN1_INTEGER, asn1_shrink(), DBGC, DBGC2, DBGC2_HDA, memcpy(), raw, rc, serial, x509_certificate::serial, and strerror().
Referenced by x509_parse_tbscertificate().
static int x509_parse_issuer ( struct x509_certificate *cert, const struct asn1_cursor *raw )
Parse X.509 certificate issuer.
cert | X.509 certificate |
raw | ASN.1 cursor |
rc | Return status code |
Definition at line 248 of file x509.c.
References ASN1_SEQUENCE, asn1_shrink(), asn1_cursor::data, DBGC, DBGC2, DBGC2_HDA, x509_certificate::issuer, asn1_cursor::len, memcpy(), raw, x509_issuer::raw, rc, and strerror().
Referenced by x509_parse_tbscertificate().
static int x509_parse_validity ( struct x509_certificate *cert, const struct asn1_cursor *raw )
Parse X.509 certificate validity.
cert | X.509 certificate |
raw | ASN.1 cursor |
rc | Return status code |
Definition at line 273 of file x509.c.
References asn1_enter(), asn1_generalized_time(), ASN1_SEQUENCE, asn1_skip_any(), DBGC, DBGC2, memcpy(), x509_validity::not_after, x509_validity::not_before, raw, rc, strerror(), x509_time::time, and x509_certificate::validity.
Referenced by x509_parse_tbscertificate().
static int x509_parse_common_name ( struct x509_certificate *cert, const struct asn1_cursor *raw )
Parse X.509 certificate common name.
cert | X.509 certificate |
raw | ASN.1 cursor |
rc | Return status code |
Definition at line 316 of file x509.c.
References asn1_compare(), asn1_enter(), asn1_enter_any(), ASN1_OID, ASN1_SEQUENCE, ASN1_SET, asn1_skip_any(), x509_subject::common_name, DBGC, DBGC2, DBGC_HDA, asn1_cursor::len, memcpy(), oid_common_name_cursor, raw, rc, and x509_certificate::subject.
Referenced by x509_parse_subject().
static int x509_parse_subject ( struct x509_certificate *cert, const struct asn1_cursor *raw )
Parse X.509 certificate subject.
cert | X.509 certificate |
raw | ASN.1 cursor |
rc | Return status code |
Definition at line 364 of file x509.c.
References asn1_shrink_any(), asn1_cursor::data, DBGC2, DBGC2_HDA, asn1_cursor::len, memcpy(), raw, x509_subject::raw, rc, x509_certificate::subject, x509_name(), and x509_parse_common_name().
Referenced by x509_parse_tbscertificate().
static int x509_parse_public_key ( struct x509_certificate *cert, const struct asn1_cursor *raw )
Parse X.509 certificate public key information.
cert | X.509 certificate |
raw | ASN.1 cursor |
rc | Return status code |
Definition at line 391 of file x509.c.
References x509_public_key::algorithm, algorithm, asn1_enter(), asn1_pubkey_algorithm(), ASN1_SEQUENCE, asn1_shrink_any(), asn1_skip_any(), asn1_cursor::data, DBGC, DBGC2, DBGC2_HDA, asn1_cursor::len, memcpy(), x509_subject::public_key, raw, x509_public_key::raw, x509_public_key::raw_bits, rc, strerror(), and x509_certificate::subject.
Referenced by x509_parse_tbscertificate().
static int x509_parse_basic_constraints ( struct x509_certificate *cert, const struct asn1_cursor *raw )
Parse X.509 certificate basic constraints.
cert | X.509 certificate |
raw | ASN.1 cursor |
rc | Return status code |
Definition at line 436 of file x509.c.
References ASN1_BOOLEAN, asn1_boolean(), asn1_enter(), ASN1_INTEGER, asn1_integer(), ASN1_SEQUENCE, asn1_skip_any(), asn1_type(), x509_extensions::basic, x509_basic_constraints::ca, DBGC, DBGC2, DBGC_HDA, EINVAL, x509_certificate::extensions, memcpy(), x509_basic_constraints::path_len, raw, rc, strerror(), and X509_PATH_LEN_UNLIMITED.
static int x509_parse_key_usage ( struct x509_certificate *cert, const struct asn1_cursor *raw )
Parse X.509 certificate key usage.
cert | X.509 certificate |
raw | ASN.1 cursor |
rc | Return status code |
Definition at line 498 of file x509.c.
References x509_key_usage::bits, bytes, asn1_bit_string::data, DBGC, DBGC2, x509_certificate::extensions, len, asn1_bit_string::len, x509_key_usage::present, raw, rc, strerror(), and x509_extensions::usage.
static int x509_parse_key_purpose ( struct x509_certificate *cert, const struct asn1_cursor *raw )
Parse X.509 certificate key purpose identifier.
cert | X.509 certificate |
raw | ASN.1 cursor |
rc | Return status code |
Definition at line 557 of file x509.c.
References asn1_compare(), asn1_enter(), ASN1_OID, x509_extended_key_usage::bits, x509_key_purpose::bits, DBGC, DBGC2, DBGC_HDA, x509_extensions::ext_usage, x509_certificate::extensions, memcpy(), x509_key_purpose::name, x509_key_purpose::oid, raw, rc, and x509_key_purposes.
Referenced by x509_parse_extended_key_usage().
static int x509_parse_extended_key_usage ( struct x509_certificate *cert, const struct asn1_cursor *raw )
Parse X.509 certificate extended key usage.
cert | X.509 certificate |
raw | ASN.1 cursor |
rc | Return status code |
Definition at line 596 of file x509.c.
References asn1_enter(), ASN1_SEQUENCE, asn1_skip_any(), asn1_cursor::len, memcpy(), raw, rc, and x509_parse_key_purpose().
static int x509_parse_ocsp ( struct x509_certificate *cert, const struct asn1_cursor *raw )
Parse X.509 certificate OCSP access method.
cert | X.509 certificate |
raw | ASN.1 cursor |
rc | Return status code |
Definition at line 622 of file x509.c.
References asn1_enter(), x509_extensions::auth_info, DBGC, DBGC2, DBGC2_HDA, DBGC_HDA, x509_certificate::extensions, memcpy(), x509_authority_info_access::ocsp, raw, rc, x509_ocsp_responder::uri, and X509_GENERAL_NAME_URI.
static struct x509_access_method * x509_find_access_method ( const struct asn1_cursor *oid )
Identify X.509 access method by OID.
oid | OID |
method | Access method, or NULL |
Definition at line 661 of file x509.c.
References asn1_compare(), method, NULL, x509_access_method::oid, and x509_access_methods.
Referenced by x509_parse_access_description().
static int x509_parse_access_description ( struct x509_certificate *cert, const struct asn1_cursor *raw )
Parse X.509 certificate access description.
cert | X.509 certificate |
raw | ASN.1 cursor |
rc | Return status code |
Definition at line 682 of file x509.c.
References asn1_enter(), ASN1_OID, ASN1_SEQUENCE, asn1_skip_any(), DBGC2, memcpy(), method, raw, rc, and x509_find_access_method().
Referenced by x509_parse_authority_info_access().
static int x509_parse_authority_info_access ( struct x509_certificate *cert, const struct asn1_cursor *raw )
Parse X.509 certificate authority information access.
cert | X.509 certificate |
raw | ASN.1 cursor |
rc | Return status code |
Definition at line 715 of file x509.c.
References asn1_enter(), ASN1_SEQUENCE, asn1_skip_any(), asn1_cursor::len, memcpy(), raw, rc, and x509_parse_access_description().
static int x509_parse_subject_alt_name ( struct x509_certificate *cert, const struct asn1_cursor *raw )
Parse X.509 certificate subject alternative name.
cert | X.509 certificate |
raw | ASN.1 cursor |
rc | Return status code |
Definition at line 742 of file x509.c.
References x509_extensions::alt_name, asn1_enter(), ASN1_SEQUENCE, asn1_cursor::data, DBGC, DBGC2, DBGC2_HDA, DBGC_HDA, x509_certificate::extensions, asn1_cursor::len, memcpy(), x509_subject_alt_name::names, raw, rc, and strerror().
static struct x509_extension * x509_find_extension ( const struct asn1_cursor *oid )
Identify X.509 extension by OID.
oid | OID |
extension | Extension, or NULL |
Definition at line 818 of file x509.c.
References asn1_compare(), NULL, x509_extension::oid, and x509_extensions.
Referenced by x509_parse_extension().
static int x509_parse_extension ( struct x509_certificate *cert, const struct asn1_cursor *raw )
Parse X.509 certificate extension.
cert | X.509 certificate |
raw | ASN.1 cursor |
rc | Return status code |
Definition at line 839 of file x509.c.
References ASN1_BOOLEAN, asn1_boolean(), asn1_enter(), ASN1_OCTET_STRING, ASN1_OID, ASN1_SEQUENCE, asn1_skip_any(), asn1_type(), DBGC, DBGC2, DBGC_HDA, ENOTSUP_EXTENSION, memcpy(), x509_extension::name, x509_extension::parse, raw, rc, strerror(), and x509_find_extension().
Referenced by x509_parse_extensions().
static int x509_parse_extensions ( struct x509_certificate *cert, const struct asn1_cursor *raw )
Parse X.509 certificate extensions, if present.
cert | X.509 certificate |
raw | ASN.1 cursor |
rc | Return status code |
Definition at line 907 of file x509.c.
References asn1_enter(), ASN1_EXPLICIT_TAG, ASN1_SEQUENCE, asn1_skip_any(), asn1_cursor::len, memcpy(), raw, rc, and x509_parse_extension().
Referenced by x509_parse_tbscertificate().
static int x509_parse_tbscertificate ( struct x509_certificate *cert, const struct asn1_cursor *raw )
Parse X.509 certificate tbsCertificate.
cert | X.509 certificate |
raw | ASN.1 cursor |
rc | Return status code |
Definition at line 934 of file x509.c.
References algorithm, asn1_enter(), ASN1_EXPLICIT_TAG, ASN1_SEQUENCE, asn1_shrink_any(), asn1_signature_algorithm(), asn1_skip_any(), asn1_type(), DBGC, DBGC2, memcpy(), raw, rc, x509_certificate::signature_algorithm, strerror(), x509_certificate::tbs, x509_parse_extensions(), x509_parse_issuer(), x509_parse_public_key(), x509_parse_serial(), x509_parse_subject(), x509_parse_validity(), and x509_parse_version().
Referenced by x509_parse().
int x509_parse | ( | struct x509_certificate * | cert, |
const struct asn1_cursor * | raw | ||
) |
Parse X.509 certificate from ASN.1 data.
cert | X.509 certificate |
raw | ASN.1 cursor |
rc | Return status code |
Definition at line 1004 of file x509.c.
References asn1_enter(), asn1_integral_bit_string(), ASN1_SEQUENCE, asn1_signature_algorithm(), asn1_skip_any(), asn1_bit_string::data, DBGC, DBGC2, DBGC2_HDA, EINVAL_ALGORITHM_MISMATCH, asn1_bit_string::len, memcpy(), raw, x509_certificate::raw, rc, signature, x509_certificate::signature, strerror(), and x509_parse_tbscertificate().
Referenced by certstore_init(), and x509_certificate().
int x509_certificate | ( | const void * | data, |
size_t | len, | ||
struct x509_certificate ** | cert | ||
) |
Create X.509 certificate.
data | Raw certificate data |
len | Length of raw data |
cert | X.509 certificate |
rc | Return status code |
On success, the caller holds a reference to the X.509 certificate, and is responsible for ultimately calling x509_put().
Definition at line 1070 of file x509.c.
References asn1_shrink_any(), certstore_add(), data, asn1_cursor::data, ENOMEM, len, asn1_cursor::len, memcpy(), NULL, raw, rc, ref_init, x509_find(), x509_free(), x509_get(), x509_parse(), x509_put(), and zalloc().
static int x509_check_signature ( struct x509_certificate *cert, struct x509_public_key *public_key )
Check X.509 certificate signature.
cert | X.509 certificate |
public_key | X.509 public key |
rc | Return status code |
Definition at line 1120 of file x509.c.
References x509_public_key::algorithm, x509_signature::algorithm, algorithm, assert(), digest_algorithm::ctxsize, asn1_cursor::data, DBGC, DBGC2, DBGC2_HDA, digest_final(), digest_init(), digest_update(), digest_algorithm::digestsize, EINVAL_ALGORITHM_MISMATCH, asn1_cursor::len, asn1_algorithm::name, asn1_algorithm::pubkey, pubkey_verify(), x509_public_key::raw, rc, signature, x509_certificate::signature, x509_certificate::signature_algorithm, strerror(), x509_certificate::tbs, and x509_name().
Referenced by x509_check_issuer().
int x509_check_issuer | ( | struct x509_certificate * | cert, |
struct x509_certificate * | issuer | ||
) |
Check X.509 certificate against issuer certificate.
cert | X.509 certificate |
issuer | X.509 issuer certificate |
rc | Return status code |
Definition at line 1174 of file x509.c.
References asn1_compare(), x509_extensions::basic, x509_key_usage::bits, x509_basic_constraints::ca, asn1_cursor::data, DBGC, DBGC_HDA, EACCES_KEY_USAGE, EACCES_NOT_CA, EACCES_WRONG_ISSUER, x509_certificate::extensions, x509_certificate::issuer, asn1_cursor::len, x509_key_usage::present, x509_subject::public_key, x509_subject::raw, x509_issuer::raw, rc, x509_certificate::subject, x509_extensions::usage, x509_check_signature(), X509_KEY_CERT_SIGN, and x509_name().
Referenced by x509_check_issuer_fail_okx(), x509_check_issuer_okx(), and x509_validate().
void x509_fingerprint | ( | struct x509_certificate * | cert, |
struct digest_algorithm * | digest, | ||
void * | fingerprint | ||
) |
Calculate X.509 certificate fingerprint.
cert | X.509 certificate |
digest | Digest algorithm |
fingerprint | Fingerprint buffer |
Definition at line 1234 of file x509.c.
References ctx, digest_algorithm::ctxsize, asn1_cursor::data, digest_final(), digest_init(), digest_update(), asn1_cursor::len, and x509_certificate::raw.
Referenced by certstat(), icert_certs(), x509_check_root(), x509_fingerprint_okx(), and x509_name().
int x509_check_root | ( | struct x509_certificate * | cert, |
struct x509_root * | root | ||
) |
Check X.509 root certificate.
cert | X.509 certificate |
root | X.509 root certificate list |
rc | Return status code |
Definition at line 1252 of file x509.c.
References DBGC, DBGC2, digest_algorithm::digestsize, ENOENT, memcmp(), root, x509_fingerprint(), and x509_name().
Referenced by x509_check_root_fail_okx(), x509_check_root_okx(), and x509_validate().
int x509_check_time | ( | struct x509_certificate * | cert, |
time_t | time | ||
) |
Check X.509 certificate validity period.
cert | X.509 certificate |
time | Time at which to check certificate |
rc | Return status code |
Definition at line 1284 of file x509.c.
References DBGC, DBGC2, EACCES_EXPIRED, x509_validity::not_after, x509_validity::not_before, x509_time::time, TIMESTAMP_ERROR_MARGIN, x509_certificate::validity, and x509_name().
Referenced by x509_check_time_fail_okx(), x509_check_time_okx(), and x509_validate().
int x509_is_valid | ( | struct x509_certificate * | cert, |
struct x509_root * | root | ||
) |
Check if X.509 certificate is valid.
cert | X.509 certificate |
root | Root certificate list, or NULL to use default |
Definition at line 1310 of file x509.c.
References root, x509_certificate::root, and root_certificates.
Referenced by certstat(), ipair_window_changed(), validator_step(), x509_validate(), and x509_validate_chain_okx().
static void x509_set_valid ( struct x509_certificate *cert, struct x509_certificate *issuer, struct x509_root *root )
Set X.509 certificate as validated.
cert | X.509 certificate |
issuer | Issuing X.509 certificate (or NULL) |
root | Root certificate list |
Definition at line 1326 of file x509.c.
References assert(), x509_extensions::basic, x509_certificate::extensions, NULL, x509_basic_constraints::path_len, x509_certificate::path_remaining, root, x509_certificate::root, x509_root_get(), and x509_root_put().
Referenced by x509_validate().
int x509_validate | ( | struct x509_certificate * | cert, |
struct x509_certificate * | issuer, | ||
time_t | time, | ||
struct x509_root * | root | ||
) |
Validate X.509 certificate.
cert | X.509 certificate |
issuer | Issuing X.509 certificate (or NULL) |
time | Time at which to validate certificate |
root | Root certificate list, or NULL to use default |
rc | Return status code |
The issuing certificate must have already been validated.
Validation results are cached: if a certificate has already been successfully validated, then issuer, time, and root will be ignored.
Definition at line 1363 of file x509.c.
References DBGC, DBGC2, EACCES_OCSP_REQUIRED, EACCES_OUT_OF_ORDER, EACCES_PATH_LEN, EACCES_UNTRUSTED, NULL, ocsp_required(), x509_certificate::path_remaining, rc, root, root_certificates, x509_check_issuer(), x509_check_root(), x509_check_time(), x509_is_valid(), x509_name(), and x509_set_valid().
Referenced by ocsp_validate(), and x509_validate_chain().
static int x509_check_dnsname ( struct x509_certificate *cert, const struct asn1_cursor *raw, const char *name )
Check X.509 certificate alternative dNSName.
cert | X.509 certificate |
raw | ASN.1 cursor |
name | Name |
rc | Return status code |
Definition at line 1437 of file x509.c.
References DBGC2, ENOENT, len, name, raw, strchr(), strlen(), strncasecmp(), and x509_name().
Referenced by x509_check_alt_name(), and x509_check_name().
static int x509_check_ipaddress ( struct x509_certificate *cert, const struct asn1_cursor *raw, const char *name )
Check X.509 certificate alternative iPAddress.
cert | X.509 certificate |
raw | ASN.1 cursor |
name | Name |
rc | Return status code |
Definition at line 1478 of file x509.c.
References address, AF_INET, AF_INET6, DBGC, DBGC2, DBGC_HDA, EINVAL, ENOENT, memcmp(), name, raw, rc, sa, sockaddr::sa_family, sin, sin6, sockaddr_in6::sin6_addr, sockaddr_in::sin_addr, sock_aton(), sock_ntoa(), strerror(), and x509_name().
Referenced by x509_check_alt_name().
static int x509_check_alt_name ( struct x509_certificate *cert, const struct asn1_cursor *raw, const char *name )
Check X.509 certificate alternative name.
cert | X.509 certificate |
raw | ASN.1 cursor |
name | Name |
rc | Return status code |
Definition at line 1529 of file x509.c.
References asn1_enter_any(), asn1_type(), asn1_cursor::data, DBGC2, DBGC2_HDA, ENOTSUP, asn1_cursor::len, memcpy(), name, raw, type, x509_check_dnsname(), x509_check_ipaddress(), X509_GENERAL_NAME_DNS, X509_GENERAL_NAME_IP, and x509_name().
Referenced by x509_check_name().
int x509_check_name | ( | struct x509_certificate * | cert, |
const char * | name | ||
) |
Check X.509 certificate name.
cert | X.509 certificate |
name | Name |
rc | Return status code |
Definition at line 1561 of file x509.c.
References x509_extensions::alt_name, asn1_skip_any(), x509_subject::common_name, DBGC, DBGC2, EACCES_WRONG_NAME, x509_certificate::extensions, asn1_cursor::len, memcpy(), name, x509_subject_alt_name::names, rc, x509_certificate::subject, x509_check_alt_name(), x509_check_dnsname(), and x509_name().
Referenced by cert_exec(), cms_verify(), tls_validator_done(), x509_check_name_fail_okx(), and x509_check_name_okx().
static void x509_free_chain ( struct refcnt *refcnt )
Free X.509 certificate chain.
refcnt | Reference count |
Definition at line 1595 of file x509.c.
References assert(), container_of, DBGC2, free, x509_chain::links, list_empty, NULL, and x509_truncate().
Referenced by x509_alloc_chain().
struct x509_chain* x509_alloc_chain | ( | void | ) |
Allocate X.509 certificate chain.
chain | X.509 certificate chain, or NULL |
Definition at line 1612 of file x509.c.
References DBGC2, INIT_LIST_HEAD, x509_chain::links, NULL, ref_init, x509_chain::refcnt, x509_free_chain(), and zalloc().
Referenced by cms_parse_participants(), cms_parse_signed(), tls_new_certificate_request(), tls_parse_chain(), validator_append(), and x509_chain_okx().
int x509_append | ( | struct x509_chain * | chain, |
struct x509_certificate * | cert | ||
) |
Append X.509 certificate to X.509 certificate chain.
chain | X.509 certificate chain |
cert | X.509 certificate |
rc | Return status code |
Definition at line 1635 of file x509.c.
References x509_link::cert, DBGC, ENOMEM, link, x509_chain::links, list_add_tail, x509_get(), x509_name(), and zalloc().
Referenced by cms_parse_identifier(), tls_new_certificate_request(), x509_append_raw(), x509_auto_append(), and x509_chain_okx().
int x509_append_raw | ( | struct x509_chain * | chain, |
const void * | data, | ||
size_t | len | ||
) |
Append X.509 certificate to X.509 certificate chain.
chain | X.509 certificate chain |
data | Raw certificate data |
len | Length of raw data |
rc | Return status code |
Definition at line 1660 of file x509.c.
References data, len, rc, x509_append(), and x509_put().
Referenced by cms_parse_certificates(), tls_parse_chain(), and validator_append().
void x509_truncate | ( | struct x509_chain * | chain, |
struct x509_link * | link | ||
) |
Truncate X.509 certificate chain.
chain | X.509 certificate chain |
link | Link after which to truncate chain, or NULL |
Definition at line 1690 of file x509.c.
References free, link, x509_chain::links, x509_link::list, list_del, list_entry, list_for_each_entry_safe_continue, tmp, and x509_put().
Referenced by validator_append(), x509_free_chain(), and x509_test_exec().
static struct x509_certificate * x509_found ( struct x509_chain *store, struct x509_certificate *cert )
Mark X.509 certificate as found.
store | Certificate store |
cert | X.509 certificate |
cert | The same X.509 certificate, returned for convenience (its store pointer is updated to the store it was found in)
Definition at line 1712 of file x509.c.
References assert(), NULL, and x509_certificate::store.
Referenced by x509_find(), x509_find_issuer_serial(), x509_find_key(), and x509_find_subject().
struct x509_certificate* x509_find | ( | struct x509_chain * | store, |
const struct asn1_cursor * | raw | ||
) |
Identify X.509 certificate by raw certificate data.
store | Certificate store, or NULL to use default |
raw | Raw certificate data |
cert | X.509 certificate, or NULL if not found |
Definition at line 1732 of file x509.c.
References asn1_compare(), certstore, link, list_for_each_entry, NULL, raw, x509_certificate::raw, x509_certificate::store, and x509_found().
Referenced by certstore_init(), and x509_certificate().
struct x509_certificate* x509_find_subject | ( | struct x509_chain * | store, |
const struct asn1_cursor * | subject | ||
) |
Identify X.509 certificate by subject.
store | Certificate store, or NULL to use default |
subject | Subject |
cert | X.509 certificate, or NULL if not found |
Definition at line 1761 of file x509.c.
References asn1_compare(), certstore, link, list_for_each_entry, NULL, x509_subject::raw, x509_certificate::store, x509_certificate::subject, and x509_found().
Referenced by x509_auto_append().
struct x509_certificate* x509_find_issuer_serial | ( | struct x509_chain * | store, |
const struct asn1_cursor * | issuer, | ||
const struct asn1_cursor * | serial | ||
) |
Identify X.509 certificate by issuer and serial number.
store | Certificate store, or NULL to use default |
issuer | Issuer |
serial | Serial number |
cert | X.509 certificate, or NULL if not found |
Definition at line 1791 of file x509.c.
References asn1_compare(), certstore, x509_certificate::issuer, link, list_for_each_entry, NULL, x509_issuer::raw, x509_serial::raw, serial, x509_certificate::serial, x509_certificate::store, and x509_found().
Referenced by cms_parse_identifier().
struct x509_certificate* x509_find_key | ( | struct x509_chain * | store, |
struct private_key * | key | ||
) |
Identify X.509 certificate by corresponding public key.
store | Certificate store, or NULL to use default |
key | Private key |
cert | X.509 certificate, or NULL if not found |
Definition at line 1821 of file x509.c.
References certstore, key, link, list_for_each_entry, NULL, privkey_cursor(), asn1_algorithm::pubkey, pubkey_match(), x509_subject::public_key, x509_public_key::raw, x509_certificate::signature_algorithm, x509_certificate::store, x509_certificate::subject, and x509_found().
Referenced by cms_keypair_okx(), cms_recipient(), and tls_new_certificate_request().
int x509_auto_append | ( | struct x509_chain * | chain, |
struct x509_chain * | store | ||
) |
Append X.509 certificates to X.509 certificate chain.
chain | X.509 certificate chain |
store | Certificate store, or NULL to use default |
rc | Return status code |
Certificates will be automatically appended to the chain based upon the subject and issuer names: starting from the last certificate in the chain, the store is searched for a certificate whose subject matches that certificate's issuer, and the match is appended. Note that name matching alone proves nothing — it only selects candidate issuers; signature, validity-period and constraint checks are performed separately by x509_validate_chain(), which must still be run before the chain is trusted.
Definition at line 1854 of file x509.c.
References DBGC, EACCES_EMPTY, x509_certificate::issuer, x509_issuer::raw, rc, x509_certificate::store, x509_append(), x509_find_subject(), and x509_last().
Referenced by cms_parse_identifier(), tls_new_certificate_request(), validator_append(), and x509_validate_chain().
int x509_validate_chain | ( | struct x509_chain * | chain, |
time_t | time, | ||
struct x509_chain * | store, | ||
struct x509_root * | root | ||
) |
Validate X.509 certificate chain.
chain | X.509 certificate chain |
time | Time at which to validate certificates |
store | Certificate store, or NULL to use default |
root | Root certificate list, or NULL to use default |
rc | Return status code (zero only if every certificate in the chain validates, in order, against its issuer or a trusted root for the given time; a chain that cannot be linked to a trusted root fails, e.g. with EACCES_USELESS)
Definition at line 1894 of file x509.c.
References DBGC, EACCES_USELESS, x509_certificate::issuer, link, x509_chain::links, x509_link::list, list_for_each_entry, list_for_each_entry_continue_reverse, NULL, rc, root, x509_auto_append(), and x509_validate().
Referenced by cms_verify_signer(), validator_step(), x509_validate_chain_fail_okx(), and x509_validate_chain_okx().
int image_x509 | ( | struct image * | image, |
size_t | offset, | ||
struct x509_certificate ** | cert | ||
) |
Extract X.509 certificate object from image.
image | Image |
offset | Offset within image |
cert | X.509 certificate |
next | Offset to next image, or negative error |
On success, the caller holds a reference to the X.509 certificate, and is responsible for ultimately calling x509_put().
Definition at line 1947 of file x509.c.
References asn1_cursor::data, free, image_asn1(), asn1_cursor::len, next, offset, rc, and x509_put().
Referenced by cert_exec().
REQUIRING_SYMBOL | ( | x509_validate | ) |
REQUIRE_OBJECT | ( | certstore | ) |
REQUIRE_OBJECT | ( | config_crypto | ) |
"commonName" object identifier cursor
Definition at line 173 of file x509.c.
Referenced by x509_parse_common_name().
Supported key purposes.
Definition at line 537 of file x509.c.
Referenced by x509_parse_key_purpose().
Supported access methods.
Definition at line 646 of file x509.c.
Referenced by x509_find_access_method().
"id-ce-basicConstraints" object identifier
"id-ce-keyUsage" object identifier
"id-ce-extKeyUsage" object identifier
"id-pe-authorityInfoAccess" object identifier
"id-ce-subjectAltName" object identifier
Supported certificate extensions.
Definition at line 783 of file x509.c.
Referenced by x509_find_extension().